Black Hat: There may be more Android "master keys" for corrupting mobile apps

Tim Greene | Aug. 5, 2013

The Google operating system is patched for now but is a rich field for similar mischief, researcher says

Remember that Android mobile "master key" vulnerability that was patched last month? It turns out there are other opportunities within the Google operating system to perform similar attacks against Android mobile apps, a Black Hat conference speaker said this week.

"Realistically, there's more than one," says Jeff Forristal, the CTO of Blue Box who discovered the initial master key about six months ago. "There are multiple master keys."

The threat is that, as with the original master key, attackers could alter legitimate apps without being detected, giving the apps code to carry out malicious activities. A separate Black Hat briefing demonstrated how to alter code in Angry Birds to turn an Android phone into a spy phone that could record calls, take photos with the phone's camera and send personal data to a command and control server.

Forristal detailed during his Black Hat briefing how he came across the vulnerability in the first place. He was playing with an application that included delivering GPS coordinates for the phone running the app. He thought it would be fun to have the app display, for example, Antarctica for a phone in the U.S.

He employed a standard Android assembler/disassembler tool to do the work, but found that while it gave phony GPS information, it didn't display the location on a Google map like the unaltered app did.

Use of Google Maps is licensed and tied to a digital signature, so he needed to figure out how to alter the app without the changes causing the signature to be rejected. Components of the app are hashed, and those hashes are used to verify that each component is as it should be. Altering the code produces a new hash that doesn't match the original hash, so the altered code is rejected.

This procedure is repeated across many layers of the code, but different layers use different procedures for checking the hashes, he says. He found a way that allowed the modifications he made to the app to fall between the cracks. "The evil file is outside the verification process," he says.
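The defensive counterpart to what Forristal describes is an integrity audit that does not trust a single layer's view of the archive. The following added example (written for this article, not code from Forristal, Bluebox or Google) walks every entry in a JAR-style signed archive, recomputes each SHA-1 digest against META-INF/MANIFEST.MF, and reports three things a layer mismatch can hide: a digest that does not match, an entry the manifest never lists (the "evil file outside the verification process"), and a name that appears more than once in the ZIP central directory, which is one well-known way two ZIP readers can end up looking at different bytes for the same name. The sample archive is constructed in memory; the manifest format assumed is the standard `Name:` / `SHA1-Digest:` layout.

```python
import base64
import hashlib
import io
import warnings
import zipfile


def b64_sha1(data: bytes) -> str:
    """Base64-encoded SHA-1, the digest form used in MANIFEST.MF."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_sample_apk(clean: bool = False) -> bytes:
    """Constructed in-memory archive (not a real APK). With clean=False it also
    carries an entry the manifest does not cover and a second entry that reuses
    an already-present name."""
    files = {
        "classes.dex": b"dex\n035\x00constructed-sample-bytecode",
        "res/layout/main.xml": b"<LinearLayout/>",
    }
    manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
    for name, data in files.items():
        manifest += f"Name: {name}\r\nSHA1-Digest: {b64_sha1(data)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            z.writestr(name, data)
        if not clean:
            # File present in the archive but absent from the manifest.
            z.writestr("assets/extra.bin", b"unlisted-content-placeholder")
            # Second central-directory entry with a name already used above.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                z.writestr("classes.dex", b"dex\n035\x00different-second-copy")
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> SHA1-Digest from a JAR-style manifest.
    Lines beginning with a single space continue the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, section = {}, {}
    for line in lines + [""]:          # trailing "" flushes the last section
        if line == "":
            if "Name" in section and "SHA1-Digest" in section:
                digests[section["Name"]] = section["SHA1-Digest"]
            section = {}
            continue
        key, _, value = line.partition(":")
        section[key.strip()] = value.strip()
    return digests


def audit_apk(apk_bytes: bytes) -> dict:
    """Check every central-directory entry, not just one copy per name.
    Returns lists of digest mismatches, uncovered entries and duplicate names."""
    findings = {"mismatch": [], "uncovered": [], "duplicate": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        seen = {}
        for info in z.infolist():      # iterates every entry, duplicates included
            name = info.filename
            seen[name] = seen.get(name, 0) + 1
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            with z.open(info) as f:    # opening by ZipInfo reads this exact entry
                actual = b64_sha1(f.read())
            if name not in digests:
                findings["uncovered"].append(name)
            elif digests[name] != actual:
                findings["mismatch"].append(name)
        findings["duplicate"] = sorted(n for n, c in seen.items() if c > 1)
    return findings


if __name__ == "__main__":
    print("tampered:", audit_apk(build_sample_apk()))
    print("clean:   ", audit_apk(build_sample_apk(clean=True)))
```

The point of iterating `infolist()` and opening each `ZipInfo` directly is that a lookup by name (`z.read("classes.dex")`) silently returns whichever copy the library prefers; a verifier that hashes one copy while a loader executes the other is exactly the kind of cross-layer disagreement the article describes, and the audit only catches it by refusing to collapse the archive to one entry per name.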

He listed some other Android faults that have been fixed but that allowed similar tinkering with applications. "These are the public disclosures," Forristal says, and there may be others.

He says that obtaining Android apps only from Google Play offers some level of assurance that the apps have been properly vetted for authenticity. But it's also possible to obtain perfectly legitimate apps outside Google Play.

For example, Amazon's ebook apps aren't malicious, but downloading them requires users to OK downloading apps from what Android calls unknown sources. That's fine, Forristal says, but many users don't bother to go back after the downloads to again ban unknown sources.